What part of the TCB validates access to every resource prior to granting the requested access?

Trusted Recovery

For a secured system, trusted recovery is recovering securely from operation failures or system crashes. The purpose of trusted recovery is to provide assurance that after a failure or crash, the rebooted system is no less secure than it was before the failure or crash. You must address two elements of the process to implement a trusted recovery solution. The first element is failure preparation. In most cases, this is simply the deployment of a reliable backup solution that keeps a current backup of all data. A reliable backup solution also implies that there is a means by which data on the backup media can be restored in a protected and efficient manner. The second element is the process of system recovery. The system should be forced to reboot into a single-user nonprivileged state. This means that the system should reboot so that a normal user account can be used to log in and that the system does not grant unauthorized access to users. System recovery also includes the restoration of all affected files and services active or in use on the system at the time of the failure or crash. Any missing or damaged files are restored, any changes to classification labels are corrected, and the settings on all security-critical files are verified.

Trusted recovery is a security mechanism discussed in the Common Criteria. The Common Criteria defines three types or hierarchical levels of trusted recovery:

Manual Recovery: An administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or system crash.

Automated Recovery: The system itself is able to perform trusted recovery activities to restore a system, but only against a single failure.

Automated Recovery without Undue Loss: The system itself is able to perform trusted recovery activities to restore a system. This level of trusted recovery allows for additional steps to provide verification and protection of classified objects. These additional protection mechanisms may include restoring corrupted files, rebuilding data from transaction logs, and verifying the integrity of key system and security components.

What happens when a system suffers from an uncontrolled TCB or media failure? Such failures may compromise the stability and security of the environment, and the only possible response is to terminate the current environment and re-create the environment through rebooting. Related to trusted recovery, an emergency system restart is the feature of a security system that forces an immediate reboot once the system goes down.

Configuration and Change Management Control

Once a system has been properly secured, it is important to keep that security intact. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Typically, this involves extensive logging, auditing, and monitoring of activities related to security controls and mechanisms. The resulting data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself. The means to provide this function is to deploy configuration management control or change management control. These mechanisms ensure that any alterations or changes to a system do not result in diminished security. Configuration/change management controls provide a process by which all system changes are tracked, audited, controlled, identified, and approved. It requires that all system changes undergo a rigorous testing procedure before being deployed onto the production environment. It also requires documentation of any changes to user work tasks and the training of any affected users. Configuration/change management controls should minimize the effect on security from any alteration to the system.
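As an added example (not part of the original text) of the file verification step in the system recovery process described under Trusted Recovery, and of the kind of configuration baseline that change management depends on: the code below records a content-hash and permission baseline for a set of security-critical files during failure preparation and, after recovery, reports which files are missing, damaged, or carry altered permission settings. The file names and the manifest format (path to hash and mode) are constructed for this example.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    """Hash a file's contents in chunks so large files need not be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(paths):
    """Failure preparation: snapshot each file's content hash and permission bits.
    The manifest format (path -> (sha256, mode)) is an assumption of this example."""
    return {p: (sha256_of(p), stat.S_IMODE(os.stat(p).st_mode)) for p in paths}

def verify_after_recovery(baseline):
    """System recovery: classify each security-critical file against the baseline."""
    findings = {}
    for path, (digest, mode) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"        # must be restored from backup
        elif sha256_of(path) != digest:
            findings[path] = "damaged"        # content differs from baseline
        elif stat.S_IMODE(os.stat(path).st_mode) != mode:
            findings[path] = "mode_changed"   # permission setting must be corrected
        else:
            findings[path] = "ok"
    return findings

def demo():
    """Constructed scenario in a temp dir: one file intact, one corrupted, one re-permissioned, one lost."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "sudoers", "audit.rules", "sshd_config")]
    for p in paths:
        with open(p, "w") as f:
            f.write("baseline content for " + os.path.basename(p) + "\n")
        os.chmod(p, 0o600)
    baseline = record_baseline(paths)
    # Simulate what an uncontrolled failure might leave behind before the recovery check runs.
    with open(paths[1], "a") as f:
        f.write("garbage\n")
    os.chmod(paths[2], 0o644)
    os.remove(paths[3])
    return [verify_after_recovery(baseline)[p] for p in paths]

if __name__ == "__main__":
    print(demo())  # ['ok', 'damaged', 'mode_changed', 'missing']
```

Running the script prints one status per file in the order the baseline listed them; anything other than "ok" is work the recovery procedure still has to do before the system is declared no less secure than before the crash.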
They often provide a means to roll back a change if it is found to cause a negative or unwanted effect on the system or on security. There are five steps or phases involved in configuration/change management control:

1. Applying to introduce a change
2. Cataloging the intended change
3. Scheduling the change
4. Implementing the change
5. Reporting the change to the appropriate parties

When a configuration/change management control solution is enforced, it creates complete documentation of all changes to a system. This provides a trail of information if the change needs to be removed. It also provides a roadmap or procedure to follow if the same change is implemented on other systems. When a change is properly documented, that documentation can assist administrators in minimizing the negative effects of the change throughout the environment.

Configuration/change management control is a mandatory element of the TCSEC ratings of B2, B3, and A1, but it is recommended for all other TCSEC rating levels. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or effected diminishments. Those in charge of change management should oversee alterations to every aspect of a system, including hardware configuration and system and application software. It should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and application of modifications. Change management requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, including hardware and software, and for everything from configuration settings to security features.

Standards of Due Care and Due Diligence

Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due care and due diligence by all responsible parties within an organization. In today's business environment, showing prudent due care and due diligence is the only way to disprove negligence in an occurrence of loss. Senior management must show reasonable due